Performing a “Cold-Boot” Proof of Concept Without Princeton’s Bit-Unlocker

Most in the information security community have heard of the “cold-boot” attack against encryption products that was recently released by Princeton. They put out a video demonstration that showed how they could read encryption keys right out of RAM even after the machine had been rebooted.

The big story here really comes from two things:

1. Sensitive information is stored in memory while your computer is running.

2. RAM isn’t as volatile as people thought it was.

What Princeton showed was that you could take a machine down hard (which keeps computers from cleaning up their memory), immediately boot to a system that dumps the contents of RAM, and then extract sensitive information from the content you dumped.

I was asked at work to try and replicate this behavior, so I contacted the group at Princeton and asked for a copy of Bit-Unlocker. They informed me that the tool is not available to the public. So I put out some feelers here on the blog and via a couple of other resources and found another option.

Msramdump

A reader by the name of Dwight pointed me to a tool by the name of msramdump, which was exactly what I was looking for. Msramdump uses SysLinux and some Windows utilities to allow one to boot a Windows system from a USB disk (in my case a 4GB thumb drive) and dump the RAM as it currently exists.

What I’ve Done So Far

The tool works. I built myself an msramdump drive yesterday and was able to successfully dump the memory from a Windows XP laptop. I then pulled that captured data onto another Linux box and captured the output of running strings against the same data.

The results were very interesting – even without using any cooling techniques.

As part of my first test I performed a simple Google search for my last name (miessler) on the Windows XP box after logging in with some test domain Active Directory credentials. After cutting power to the laptop and capturing the image, I was able to find two interesting pieces of information within a few seconds of grepping the strings output.

I found a highly legible and mostly unmangled copy of my Google search — including my exact search term (miessler).

Even more interestingly, I found all sorts of interesting Active Directory information, most notably my current AD password — albeit in a slightly mangled state due to the RAM decay.

That second one tripped me out, and I’m going to confirm it tomorrow, but if I can actually pull AD passwords out of memory using this technique — without even using any cooling — that’s going to blow my mind. I wasn’t even aware that Active Directory passwords were stored in memory in plain text.
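To show what that "strings and grep" step looks like when it has to cope with the decay mentioned above, here is an added example script; it is not part of the original post and not part of msramdump. It builds a small constructed byte string that stands in for a RAM image (the real dump would be read from the file msramdump wrote), pulls out printable runs the way `strings` does (including UTF-16LE runs, which Windows uses for most in-memory text and which GNU `strings` only prints with `-e l`), and then searches for a known term while tolerating a few flipped bits, since cold-boot decay flips individual cells rather than substituting whole characters. The term `miessler`, the offsets and the flipped bits are all made up for the demonstration.

```python
import re

# Popcount table: number of set bits in each byte value, used to measure how many
# individual bits differ between a window of the dump and the term we are after.
BIT_COUNT = [bin(i).count("1") for i in range(256)]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM image (NOT a real capture).

    Layout: zero filler, an ASCII copy of the search term inside a URL query,
    a UTF-16LE copy (how Windows keeps most strings in memory), and a copy
    damaged by simulated decay (two bits flipped), each separated by filler.
    """
    filler = b"\x00" * 1024
    ascii_hit = b"q=miessler&hl=en"                 # offset 1024, term at 1026
    utf16_hit = "miessler".encode("utf-16-le")      # offset 2064
    decayed = bytearray(b"miessler")                # offset 3104
    decayed[1] ^= 0x01                              # 'i' -> 'h'
    decayed[5] ^= 0x20                              # 's' -> 'L'
    return filler + ascii_hit + filler + utf16_hit + filler + bytes(decayed) + filler


def extract_strings(dump: bytes, min_len: int = 4):
    """Yield (offset, encoding, text) for printable runs of at least min_len chars.

    The ASCII pass is what `strings` prints by default; the UTF-16LE pass is the
    equivalent of `strings -e l`, which is easy to forget on a Windows image.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_decayed(dump: bytes, needle: bytes, max_bit_errors: int = 3):
    """Return [(offset, bit_errors)] for every window of the dump that differs
    from needle by at most max_bit_errors flipped bits (bitwise Hamming distance).

    A plain grep misses a term once decay has touched it; counting flipped bits
    lets a lightly damaged copy still be recognised, while the budget keeps
    random data from matching.
    """
    hits = []
    n = len(needle)
    for off in range(len(dump) - n + 1):
        errors = 0
        for a, b in zip(dump[off:off + n], needle):
            errors += BIT_COUNT[a ^ b]
            if errors > max_bit_errors:
                break
        else:
            hits.append((off, errors))
    return hits


def search_term(dump: bytes, term: str, max_bit_errors: int = 3) -> dict:
    """Look for term in both encodings, exact or lightly decayed."""
    return {
        "ascii": find_decayed(dump, term.encode("ascii"), max_bit_errors),
        "utf-16le": find_decayed(dump, term.encode("utf-16-le"), max_bit_errors),
    }


if __name__ == "__main__":
    image = build_sample_dump()        # in practice: open(path, "rb").read()
    for offset, enc, text in extract_strings(image):
        print(f"{offset:#010x} {enc:9s} {text!r}")
    for enc, hits in search_term(image, "miessler").items():
        for offset, errors in hits:
            print(f"{enc}: match at {offset:#010x} with {errors} flipped bit(s)")
```

On the constructed image this reports the exact ASCII copy, the exact UTF-16LE copy, and the decayed copy with two flipped bits, which a literal grep for the term would not have found. The sliding-window search is pure Python and fine for a few megabytes; on a full multi-gigabyte capture you would first narrow the candidates with the string extraction (or a compiled tool) and only run the bit-error comparison around those offsets.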

Next Steps

1. Confirm that I can pull Active Directory passwords out of memory.

2. Start searching for the keys used by various encryption products.

I’ll be working on these tomorrow and will update the post tomorrow night. If you have any questions, thoughts, or ideas, hit me over email or through the comments below.